Changes

no edit summary
Line 2: Line 2:     
==Principles==
 
==Principles==
# Never trust, always verify.
+
# Never trust, always verify.<ref>[https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture What is a Zero Trust Architecture, Palo Alto Networks]</ref>
 
# No assumptions about assets or user accounts based solely on their physical or network location or asset ownership.
 
# No assumptions about assets or user accounts based solely on their physical or network location or asset ownership.
 
# Protect resources (assets, services, workflows, and network accounts), not network segments.
 
# Protect resources (assets, services, workflows, and network accounts), not network segments.
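Review bot: the reference added to the first principle ("Never trust, always verify.") is a vendor cyberpedia page, while the second and third principles in this hunk (no assumptions based on physical or network location or asset ownership; protect resources, not network segments) are left without any citation. Since the same edit cites the DoD Zero Trust Reference Architecture for the pillars section, consider sourcing all three principles from one primary document in a single ref rather than attaching a vendor link to the first principle only.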
Line 23: Line 23:  
:* the policy enforcement point (PEP) enables, terminates, and monitors connections between users and enterprise resources; and
 
:* the policy enforcement point (PEP) enables, terminates, and monitors connections between users and enterprise resources; and
 
:* the policy administrator sends commands to the PEP based on policy engine decisions to allow or deny users’ connections to a requested resource.<ref>[https://www.ekransystem.com/en/blog/zero-trust-security-model Zero Trust Security Model, Ekran]</ref>
 
:* the policy administrator sends commands to the PEP based on policy engine decisions to allow or deny users’ connections to a requested resource.<ref>[https://www.ekransystem.com/en/blog/zero-trust-security-model Zero Trust Security Model, Ekran]</ref>
 +
 +
===Pillars===
 +
The seven pillars in the DOD Zero Trust Architecture include:<ref>[https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf Zero Trust Reference Architecture V.1 Feb 2021, DOD, pgs 27-28]</ref>
 +
====User====
 +
Securing, limiting, and enforcing person, non-person, and federated entities’ access to DAAS encompasses the use of ICAM capabilities such as multi-factor authentication and continuous multi-factor authentication.
 +
====Device====
 +
The capacity to identify, authenticate, authorize, inventory, isolate, secure, remediate, and control all devices is essential. Real-time attestation
 +
and patching of devices in an enterprise are critical. Possible options include Mobile Device Managers or Comply to Connect programs and assessments for every access request: examinations of compromise state, anomaly detection, software versions, protection status, and encryption enablement.
 +
====Network/Environment====
 +
logically and physically segment everything in order to isolate and control organizations with granular access and policy restrictions.
 +
====Applications/Workload====
 +
This category spans the complete application stack from the application layer to the hypervisor.
 +
====Data====
 +
Zero Trust protects critical DAAS. Thus, organizations must categorize their DAAS in terms of mission criticality.
 +
====Visibility & Analytics====
 +
Details are needed on performance, behavior, and activity baselines across other Zero Trust pillars to detect anomalous behavior and make dynamic changes to
 +
security policy and real-time access decisions.
 +
====Automation & Orchestration====
 +
Enterprises needed to automate manual security processes to take policy-based actions fast and at scale.
    
==Advantages & Complications==
 
==Advantages & Complications==
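Review bot: the new Pillars section has several wording and formatting defects that should be fixed before this is merged. The Network/Environment paragraph starts with a lowercase "logically and physically segment everything"; the Automation & Orchestration paragraph reads "Enterprises needed to automate" where the present tense "need to automate" is meant; and two sentences are broken across separate lines ("Real-time attestation" / "and patching of devices" under Device, and "make dynamic changes to" / "security policy and real-time access decisions" under Visibility & Analytics), which the wiki will render as separate paragraphs. The User pillar also introduces the acronyms DAAS and ICAM without expanding them anywhere in the added text; spell both out on first use so the section can be read without opening the cited DoD PDF.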